[Samba] Domain Admins

Golden Butler golden at cnt.org
Thu May 25 01:51:03 GMT 2006


Also,
  
  Is it necessary to group map groups you're using in samba?  For example:
  
  ntgroup "marketing"  -->  unix group "marketing"
  ntgroup "sales"         -->  unix group "sales"
  
  What are pros and cons to doing this, or is it optional?
  
  -- Delamatrix  _____  

From: Neil Muller [mailto:neil at neologix.net.au]
To: Golden Butler [mailto:golden at cnt.org]
Cc: Samba Mailing List [mailto:samba at lists.samba.org]
Sent: Wed, 24 May 2006 19:22:48 -0500
Subject: Re: [Samba] Domain Admins

Golden Butler wrote:
> Hi,
> 
> I'm trying to set up one of my users to be a domain admin.  I have 
> unix/ldap group called "domainadm" with "user1" a member of the group.  
> When I run "net groupmap list" I get the following:
> 
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm
> 
> But when I go to log in to the domain with "user1" on a winxp machine, 
> the user isn't able to make administrative changes to the computer.
> 
> Is there something I'm doing wrong?
> 
> - Delamatrix
> 
> SLES9-SP3
> Samba 3.0.20b
> Openldap
> 


I think you may need to check the rid you have used for the Domain 
Admins group. According to 
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html 
this is one of the well known rids which must be maintained for correct 
functioning of the NT groups systems. You have a rid of 7033 and I think 
it should be 512.


Neil
--
email: neil at neologix.net

  


More information about the samba mailing list